CLAIM AMENDMENTS 



1 1 . (currently amended) A method for controlling input/output (I/O) operations of 

2 a user's computer comprising the following steps: 

3 implementing the user's computer as a virtual machine (VM); 

4 including a virtual machine monitor (VMM) as a VM-transparent interface 

5 between the VM and a physical computer system that includes at least one device; 

6 in the VMM: 

7 sensing a request for an I/O operation between the VM and the device; 

8 performing a prodotorm i nod transformation of I/O data passing between 

9 the VM and the device , said transformation being adjunct to necessary completion of 

10 the request, as issued, for the I/O operation : 

11 the transformation of the I/O data thereby being undefeatable by any usef action 

12 initiated via the VM. 

1 2. (currently amended) A method as in claim 1, in which: 

2 the device is a display; 

3 the I/O data is VM display data output from the VM and intended for display; and 

4 the pred e t e rm i n e d transformation is a replacement of at least a portion of the VM 

5 display data with non-defeatable display data stored external to the VM but accessible 

6 to the VMM; 

7 further including the step of displaying the VM display data with the non- 

8 defeatable display data overlaid. 

1 

1 3. (currently amended) A method as in claim 1 , further including the following 

2 steps: 

3 filtering the I/O data with respect to at least one pr e d e t e rm i n e d filtering condition; 

4 and 

5 performing the pr e d e t e rmin e d transformation of the I/O data only when the 

6 filtering condition is met. 

1 
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1 4. (currently amended) A method as in claim 3, in which the filtering condition is 

2 that the I/O data includes at least one prodotorm i nod restricted term. 

l 

1 5. (currently amended) A method as in claim 3, in which the filtering condition is 

2 that the I/O data is from a prodotorm i nod restricted source. 

1 

1 6. (currently amended) A method as in claim 3, in which: 

2 the I/O data includes image data; 

3 the step of filtering the I/O data comprises detecting the presence of a 

4 representation of a target image within the image data; and 

5 the prodotorm i nod transformation is substitution of a representation of a 

6 replacement image in place of the representation of the target image. 

l 

1 7. (original) A method as in claim 6, in which: 

2 the I/O data is in a non-character image format; 

3 the target image is a representation of a restricted character string; and 

4 the step of filtering the I/O data comprises applying character recognition to the 

5 I/O data, 
l 

1 8. (currently amended) A method as in claim 3, in which the prodotorminod 

2 filtering condition m is the presence in the I/O data of a copy protection indication. 

l 

1 9. (currently amended) A method as in claim 1 , in which the pr e determin e d 

2 transformation comprises insertion into the I/O data of a source indication associated 

3 with the VM. 

1 

l 10. A method as in claim 1 , in which the transformation is time-varying. 

1 

1 11. (original) A method as in claim 1 , in which the device is a network 

2 connection device. 
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3 12. (currently amended) A method as in claim 1 1 , in which the prodotorm i nod 

4 transformation is a bandwidth limiting of the I/O data being transferred between the VM 

5 and the network connection device. 
1 

1 13. (currently amended) A method as in claim 1 1, in which: 

2 the requested I/O operation is a transfer of the I/O data between the VM and the 

3 network connection device; and 

4 the prodotorm i nod transformation is a time delay of the transfer. 

l 

1 14. (currently amended) A method as in claim 1 1 , in which: 

2 the requested I/O operation is a transfer of the I/O data from the VM to a first 

3 destination address via the network connection device; 

4 the prodotorm i nod transformation is a redirection of the I/O data to a second 

5 destination address different from the first. 

1 

1 15. (currently amended) A method as in claim 1 , in which: 

2 the device is a display; 

3 the display renders data stored in a display map; and 

4 the step of performing the pr e d e t e rmin e d transformation comprises altering a 

5 selected portion of the display map. 

l 

1 16. (currently amended) A method as in claim 15, in which the step of altering 

2 the selected portion of the display data comprises substituting prodotorm i nod , non- 

3 defeatable display data for the selected portion. 

1 

1 17. (currently amended) A method as in claim 15, in which the step of altering 

2 the selected portion of the display data comprises changing all occurrences in the 

3 display map of a display color to a prod e t e rm i n e d replacement color. 

l 
l 
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1 1 8. (currently amended) A method as in claim 1 , in which: 

2 the device is a data storage device; 

3 the requested I/O operation is a transfer of data between the VM and the storage 

4 device; and 

5 the step of performing the prodotorm i nod transformation comprises changing at 

6 least a portion of the data during the transfer between the VM and the storage device. 

1 

1 19. (currently amended) A method as in claim 18, in which the step of 

2 performing the prodotorm i nod transformation of the I/O data comprises encrypting data 

3 written by the VM to the data storage device and decrypting data read from the data 

4 storage device by the VM. 

1 

1 20. (currently amended) A method as in claim 18, in which the step of 

2 performing the prodotorm i nod transformation of the I/O data comprises compressing 

3 data written by the VM to the data storage device and decompressing data read from 

4 the data storage device by the VM. 

l 

1 21 . (currently amended) A method as in claim 1 , in which: 

2 the device is a network connection device; 

3 the requested I/O operation is a transfer of data between the VM and the network 

4 connection device; and 

5 the step of performing the prodotorm i nod transformation comprises changing at 

6 least a portion of the data during the transfer between the VM and the network 

7 connection device. 

l 

1 22. (currently amended) A method as in claim 21 , in which the step of 

2 performing the prodotorminod transformation of the I/O data comprises encrypting data 

3 written by the VM to the network connection device and decrypting data read from the 

4 network connection device by the VM. 

1 
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1 23. (currently amended) A method as in claim 21 , in which the step of 

2 performing the prodotorm i nod transformation of the I/O data comprises compressing 

3 data written by the VM to the network connection device and decompressing data read 

4 from the network connection device by the VM. 

1 

1 24. (currently amended) A method as in claim 1 , in which the step of 

2 performing the prodotorm i nod transformation of the I/O data comprises cryptographic 

3 transformation of the I/O data. 

1 

1 25. (currently amended) A method as in claim + 3, in which: 

2 the VM supports a plurality of I/O modes; 

3 the step of filtering is performed on I/O data corresponding to a first one of the 

4 plurality of I/O modes; and 

5 the prodotorm i nod transformation is applied to I/O data in a second one of the I/O 

6 modes when the I/O data in the first I/O mode satisfies toe a transformation-triggering 

7 criterion. 

l 

1 26. (original) A method as in claim 25, in which the I/O modes include a video 

2 mode and an audio mode. 



1 
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1 

1 27. (currently amended) A method for controlling input/output (I/O) of a user's 

2 computer comprising the following steps: 

3 implementing the user's computer as a virtual machine (VM); 

4 including a virtual machine monitor (VMM) as a VM-transparent interface 

5 between the VM and a physical computer system that includes at least one device that 

6 carries out an I/O operation on the basis of device control data; 

7 storing the device control data associated with the VM in a buffer in the VMM; 

8 upon sensing a transformation command from an administrative system external 

9 to the VM, entering replacement data into at least a portion of the buffer said 

10 replacement data being entered as a processing step that is adjunct to the necessary 

11 completion of the I/O operation ; 

12 the entry of the replacement data thereby being undefeatable by any usef action 

13 initiated via the VM. 

1 

1 28. (currently amended) A system for controlling input/output (I/O) operations of 

2 a user's computer, comprising: 

3 a virtual machine (VM) constituting the user's computer; 

4 a virtual machine monitor (VMM) forming a VM-transparent interface between the 

5 VM and a physical computer system that includes at least one device; 

6 the VMM including means: 

7 for sensing a request for an I/O operation between the VM and the device; 

8 and 

9 for performing a predet e rm i n e d transformation of I/O data passing 

10 between the VM and the device , said transformation being adjunct to necessary 

11 completion of the reouest as issued, for the I/O operation ; 

12 the transformation of the I/O data thereby being undefeatable by any use* action 

13 initiated via the VM. 

l 
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1 29. (original) A system as in claim 28, in which the device is a display and the 

2 I/O data is VM display data. 
1 

1 30. (original) A system as in claim 29, further comprising: 

2 a display buffer within the VMM for storing the VM display data that is output from 

3 the VM and is intended for display; and 

4 transformation means located within the VMM for replacing at least a portion of 

5 the VM display data stored in the display buffer with non-defeatable display data; 

6 in which the display is provided for displaying the contents of the display buffer. 

l 

1 31 . (original) A system as in claim 28, in which the device is a data storage 

2 device. 

l 

1 32. (original) A system as in claim 28, in which the device is a network 

2 connection device. 

1 
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